IPSum suspicious and/or malicious IP addresses (Level 4)
TI Feed MISP IP Sum Level 4
Query
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/4.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
ThreatIntelFeed
| where DestIP matches regex IPRegex
| distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountNameAbout this query
IPSum suspicious and/or malicious IP addresses (Level 4)
Source: IPSum
Feed information: https://github.com/stamparm/ipsum/
Feed link: https://raw.githubusercontent.com/stamparm/ipsum/master/levels/4.txt
Defender XDR
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/4.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
ThreatIntelFeed
| where DestIP matches regex IPRegex
| distinct DestIP
);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIP)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName
Sentinel
Explanation
This query is designed to identify network events involving suspicious or malicious IP addresses using data from the IPSum threat intelligence feed. Here's a simplified breakdown of what the query does:
-
Fetch Threat Intelligence Data: It retrieves a list of potentially malicious IP addresses from an external source (IPSum Level 4 feed).
-
Filter Valid IP Addresses: It uses a regular expression to ensure that only valid IP addresses are considered from the feed.
-
Identify Malicious IPs: It creates a distinct list of these valid IP addresses, which are considered potentially malicious.
-
Analyze Network Events: It checks network events (from
DeviceNetworkEvents) to see if any of these events involve the identified malicious IP addresses. -
Geolocation Information: For each network event involving a malicious IP, it retrieves geolocation information, such as country, state, city, latitude, and longitude.
-
Organize Output: Finally, it organizes the output to display relevant details like the timestamp, device name, remote IP, remote port, and the account name of the process initiating the connection.
The query is essentially the same for both Defender XDR and Sentinel, with a minor difference in the field name for the timestamp (Timestamp vs. TimeGenerated).
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators